For almost 20 years, the collecting, processing and storing of individuals’ data has been governed in the UK by the Data Protection Act 1998. By May 2018, this system will be totally overhauled.
There are many reasons why this change is necessary. Organisations today are using information in ways which we could not even have imagined when the Data Protection Act was drafted.
The new General Data Protection Regulation (GDPR) puts the onus on companies to understand the risks that they create for others and to mitigate those risks.
The UK Information Commissioner, Elizabeth Denham, has asked organisations to see the change to the GDPR as a chance to move away from treating the law as a box-ticking exercise and instead to view it as a framework that can be used to build a culture of privacy that operates through every aspect of your organisation.
The GDPR will apply in the UK from 25th May 2018, so the countdown is on to make sure your organisation embraces the new culture of privacy which the GDPR requires.
The UK Government has confirmed that Brexit will not affect the start of the GDPR. In Northern Ireland, with so many businesses and services operating across the physical border with Ireland and across borders in Europe, international consistency around Data Protection is critical.
Who does the GDPR affect?
The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. It also applies to organisations located outside of the EU if the relevant organisations offer goods or services to, or monitor the behaviour of, EU data subjects.
What are the penalties for non-compliance?
The GDPR applies to both data controllers and data processors, with a tiered approach having been adopted in relation to the imposition of penalties. For example, a company can be fined a sum equal to 2% of its annual global turnover for not having its records in order (Article 28), whereas the maximum fine that can be imposed on a company for the more serious infringements (i.e. violating the core Privacy by Design concepts, or processing data without consent) is 4% of its annual global turnover, or €20 million.
What constitutes personal data?
Any information related to a natural person or ‘data subject’ that can be used to identify that person, either directly or indirectly. This can include a name, photo, e-mail address, bank details, social media posts, medical information, or a computer IP address.
What is the difference between a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Do data processors need 'explicit' or 'unambiguous' data subject consent and what is the difference?
Under the GDPR, companies will no longer be able to utilise indecipherable terms and conditions packed with legalese. A request for consent must be given in a clear, intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using plain language. Explicit consent is required only for processing sensitive personal data, meaning nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.
Should you still continue with GDPR planning and preparation in light of an uncertain 'Brexit'?
You will need to comply with the GDPR if you process data about individuals in relation to the selling of goods or services to citizens in other EU countries, irrespective of the UK’s retention of the GDPR post-Brexit.
If your activities are limited to the UK, the position is much less clear; however, the UK Government has indicated that it will implement an equivalent legal mechanism. In light of the support previously provided to the GDPR by the ICO and the UK Government as an effective privacy standard, it is expected that this legislation will largely reflect the provisions contained in the GDPR.
Will the GDPR set up a ‘one-stop-shop’ for data privacy regulation?
Generally, the Commission, Parliament and Council are all in favour of the ‘one-stop-shop’ principle, with the Parliament also promoting a lead DPA and more involvement from other concerned DPAs.
How does the GDPR affect policy surrounding data breaches?
Proposed regulations surrounding data breaches relate mainly to the notification policies of companies that have been breached. Data breaches which pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.
Does my business need to appoint a Data Protection Officer (DPO)?
Data Protection Officers must be appointed in the case of public authorities, organisations that engage in large scale systematic monitoring, or organisations that engage in large scale processing of sensitive personal data (Article 37). If an organisation does not fall into one of these categories, there is no requirement to appoint a DPO.
What is the difference between a regulation and a directive?
A regulation is a binding legislative act which must be applied in its entirety across the EU. A directive is a legislative act that sets out a goal that all EU countries must achieve; however, it is up to the individual countries to decide how this is implemented. While the previous legislation in this context was a directive, the GDPR is a regulation to be applied in its entirety across the EU.
What about data subjects under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but in any case, this will not be below the age of 13.
When is the General Data Protection Regulation (“GDPR”) coming into effect?
The GDPR was approved by the EU Parliament in April 2016 and will come into effect in May 2018.
What is profiling?
The GDPR defines profiling as any form of automated processing of personal data in order to evaluate certain aspects relating to a natural person. It will not be prohibited by the GDPR, and can be of benefit to businesses as they seek to target marketing and business development activity. However, under the GDPR, profiling must be done in a way that is clear and transparent, which includes informing individuals of the existence of profiling and its consequences.
What steps can organisations take now to ensure that they process data transparently?
The GDPR will restate the existing onus on data processors to be open and honest about the ways in which they use personal data. In order to ensure that you, as a data processor, will be acting in compliance with the GDPR when it comes into force, you should make yourself aware of the expanded list of information which you will be required to make available to data subjects. You should be giving thought to how you provide information to data subjects, bearing in mind that such information must be in clear and plain language, in writing, and in an accessible form. Even now, consider tailoring your communications so that they comply with your transparency requirements, and consider how, going forward, you will keep such communications up to date. These steps will form part of your ongoing compliance with the GDPR.